
Strange UDP(137) connection attempts

My firewall logs become stranger and stranger. I have had a lot of connection attempts for 2-3 weeks on my port 137 with UDP from several different IPs. Obviously, there are always connection attempts of this sort on this port, usually 5 or 6 times each hour, but as you can see in my logs of a short connection today, it's far more than usual.
I have a simple dial-up connection, my port 137 is closed and I use strong rules for my firewall. I have some hypotheses but I want to hear your opinions about this. Thanks.

I agree with IchNiSan, some type of worm. The W32/OpaServ.serv worm has mutated several times in the last few months which also does this type of scan.

Significant NetBIOS traffic (UDP) is caused by this worm. One of the early indications of this worm's activity was the increase in port 137 hits on firewalls. This traffic is caused by the worm issuing WINS queries across contiguous IP ranges. The spreading mechanism observed in testing is outlined below:

The worm issues a WINS query (to retrieve the NetBIOS name).
The worm then tries to establish a NetBIOS session to the remote machine.
If successful, the worm attempts to spread via connecting to \\%machinename%\C using SMB (Server Message Block) commands (i.e. requiring an open 'C' share on the remote machine). This worm can infect password-protected shares if the security patch is not installed.
Please note: if this patch is installed, but the share is not password protected, the worm will still spread to the machine.

If you receive something that says 'Send this to everyone you know,' pretend you don't know me.
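As an added illustration (not code from the thread or from any vendor write-up), here is a small decoder for the first step of the mechanism described above: the NetBIOS Name Service query that arrives on UDP/137. It builds a constructed wildcard node-status query, parses it according to the RFC 1002 wire format, and counts how many distinct source addresses sent such a query, which is the sort of check one would run over captured firewall traffic rather than guessing from log lines alone. The transaction id, source addresses and sample payloads are all constructed.

```python
import struct
# Constructed sample: a NetBIOS node-status (NBSTAT) query for the wildcard name "*",
# the kind of UDP/137 probe discussed in the thread. The transaction id is arbitrary.
def build_nbstat_wildcard_query(trn_id: int = 0x1234) -> bytes:
    raw16 = b"*" + b"\x00" * 15  # wildcard name, NUL-padded to 16 bytes
    enc = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))  # RFC 1002 first-level encoding
    header = struct.pack("!6H", trn_id, 0x0000, 1, 0, 0, 0)  # flags=query, QDCOUNT=1
    return header + bytes([32]) + enc + b"\x00" + struct.pack("!HH", 0x0021, 0x0001)

def decode_nb_name(enc: bytes) -> bytes:
    """Reverse the first-level encoding: 32 chars in 'A'..'P' -> 16 raw bytes."""
    if len(enc) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    nibbles = [c - 0x41 for c in enc]
    if any(not 0 <= n <= 15 for n in nibbles):
        raise ValueError("invalid character in encoded NetBIOS name")
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))

def parse_nbns_query(pkt: bytes) -> dict:
    """Parse the header and single question of a NetBIOS Name Service query (UDP/137)."""
    if len(pkt) < 50:  # 12-byte header + length byte + 32-byte name + terminator + QTYPE/QCLASS
        raise ValueError("packet too short for an NBNS query")
    trn_id, flags, qdcount, _, _, _ = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response bit set; not a query")
    if qdcount != 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("malformed question section")
    raw = decode_nb_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {
        "trn_id": trn_id,
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": qtype,  # 0x0020 = NB (name query), 0x0021 = NBSTAT (node status)
        "qclass": qclass,
        # A wildcard NBSTAT query asks a host for its whole NetBIOS name table.
        "wildcard_nbstat": qtype == 0x0021 and raw[0] == 0x2A,
    }

def count_scan_sources(events) -> list:
    """events: (src_ip, udp_payload) pairs; returns the distinct sources sending wildcard NBSTAT queries."""
    hits = set()
    for src, payload in events:
        try:
            if parse_nbns_query(payload)["wildcard_nbstat"]:
                hits.add(src)
        except ValueError:  # undecodable payloads are skipped, not counted
            continue
    return sorted(hits)
```

Feed `count_scan_sources` the UDP payloads from a capture of port 137 traffic; a long list of unrelated sources each sending one wildcard query is the range-scanning pattern described above, whereas a handful of queries for your own host's name from the same subnet is ordinary Windows browsing.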

Thanks for those links. I had suspected something like this but I was not sure. This infection seems really significant (from the point of view of my logs at least). I wonder why the mass media have not already made headlines about those "new evil internet virii"? I remember only some articles about BugBear on specialized sites.

Bugbear got a little play on CNN, MSN, etc. when it first appeared. I think the news people are getting tired of reporting every "boring" virus as it shows up. Iloveyou and Codered wore them out, I think.

It is probably a worm (like Nimda, Bugbear, or the myriad of other worms) or it could be people attempting to send those annoying Windows Messenger popup ads. The best thing to do is to set up a session with a sniffer to look at the content of those packets; then it would be very, very clear what is going on.

/nebulus

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

nebulus200 > I thought it was a worm because I don't know how an attacker could easily find me again after each connection if I'm not infected by something (I use a dial-up account), or how he could obtain any interesting results spoofing all those IP addresses.
Those captures seem to be clear. All the time the same sort of packets (NetBIOS name queries) from different IPs. It's an infection.
An infection which also concerns my ISP's routers (I have just discovered this looking at the source of the second packet)!

Do you have the packet dump (packet contents) of the request? There are lots of things that can cause a NetBIOS name request to be issued, not all of them nefarious. With M$ it is sometimes hard to tell exactly what is going on. I guess I was expecting to see a little more than just it asking for your NetBIOS name (think of it like Mickysoft DNS); it could be just the beginning of something more, like for example checking to see if it has NetBIOS running, and then if it did, something more would happen. Really hard to say. If you still can't find answers, you might want to offer a sacrificial lamb out there to see what they are up to (just pay very, very, very close attention to the box to make sure it is not abused).

Perhaps if you have some old equipment, install a M$ OS with everything patched, but turned on, allow access to it via netbios, let them do whatever, and then watch what was done, that might help out a little bit and be a little easier...

/nebulus

PS if you do post the verbose contents of the snoop, please sanitize to remove your IP/sensitive info.


As I had turned off all my NetBIOS sharing before removing my firewall protection, my computer didn't send any answer; that's why the communication stopped at this point without providing more information. And as I don't have a lot of equipment, I can't do the experiment to watch what happens exactly with NetBIOS sharing turned on. Sorry.
But it would probably be some commands to install and run the worm.